DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office action is in response to the amendment, arguments and remarks, filed on 5/13/2021, in which claim(s) 1-20 is/are presented for further examination.
Claim(s) 1, 7 and 13 has/have been amended.

Response to Amendments
Applicant’s amendment(s) to claim(s) 1, 7 and 13 has/have been accepted.  Support was found in at least [0033] and [0076] of the specification.

Response to Arguments
Applicant’s arguments with respect to claims 1-20, filed on 5/13/2021, have been fully considered but they are not persuasive.  Accordingly, this action has been made FINAL.

Applicant’s arguments with respect to the rejection(s) of claim(s) 1-20 under 35 U.S.C. 102(a)(1), see page 8 to the top of page 9 of applicant’s remarks, filed on 5/13/2021, have been fully considered but they are not persuasive.
Applicant is merely arguing the newly added limitations in the claim that were not previously presented.  The examiner respectfully disagrees.  Please see the corresponding section of the rejection below.


Additionally, throughout the analysis of Coates the Examiner appears to be relying upon "common knowledge" or "well known" principles or "Official Notice" or other information within the Examiner's personal knowledge to establish a rejection. For example where, throughout the analysis, the examiner sets forth that a term in Coates is equivalent to a claim term (e.g., an event processing system that processes machine data from different sources being equivalent to a protected endpoint, a format being equivalent to a type, access control information being equivalent to an endpoint agent requiring the endpoint device to comply with particular criteria before being granted access to network resources, defining a schema which includes a source of event data and a source type of event data as equivalent to entity identifier elements, indexing and storing event data and source type as equivalent to classifying entity identifier element to provide a classified entity identifier element). Applicant respectfully request that the Examiner cite a reference or provide an affidavit in support of the position in accordance with M.P.E.P. § 2144.03 and 37 C.F.F. 1.104(d)(2).

See the middle of page 9 of applicant’s remarks, filed on 5/13/2021.
The examiner respectfully disagrees.  The examiner did not rely upon “common knowledge”, “well known” principles or “Official Notice” as applicant alleges.
In the claims, dated 10/27/2020, claim 1 (and similarly in claims 7 and 13) recite “the protected endpoint comprising an endpoint agent executing on an endpoint device, the endpoint agent requiring the endpoint device to comply with particular criteria before being granted access to network resources”.
The examiner would like to point out that the clause, “particular criteria before being granted access to network resources”, can be broadly interpreted.
“Endpoint” is not specifically defined in the claim.  According to [0032] of applicant’s specification, “[a]n endpoint device 304, as likewise used herein, refers to an information processing system such as a personal computer, a laptop computer, a tablet computer, a personal digital assistant (PDA), a smart phone, a mobile telephone, a digital camera, a video camera, or other device that is capable of storing, processing and communicating data….”

“Endpoint agent” is not specifically defined in the claim.  According to [0031] of applicant’s specification, “…an endpoint agent 306 broadly refers to a software agent used in combination with an endpoint device 304 to establish a protected endpoint 302….”
Coates, [0152] discloses an event processing system that processes machine data from different sources to represent machine data as events, where the examiner interpreted the “different sources” as “protected endpoints”.  In this case, the machine data from the different sources must be stored on some device, most likely a server, which would be “an information processing system such as a personal computer, a laptop computer, a tablet computer, a personal digital assistant (PDA), a smart phone, a mobile telephone, a digital camera, a video camera, or other device that is capable of storing, processing and communicating data” per applicant’s specification.
Coates, [0145] discloses entity definitions associating an entity with machine data, where the machine that produces the machine data is interpreted as the “endpoint device” and whatever sends the machine data is being interpreted as the “endpoint agent”, which would be the software on the “endpoint device”, where “…an endpoint agent 306 broadly refers to a software agent used in combination with an endpoint device 304 to establish a protected endpoint 302….” per applicant’s specification.
Coates, [0470] discloses security related information for the endpoint includes access control information and login/logout information and access failure notification, where the security related information disclosed all deal with allowing access to the network only when 
Coates, [0152] and [0153] disclose processing machine data to represent machine data as events including a schema to the events and extracting fields defined by the schema including a source of the event data and a source type for the event data and indexing and storing them and establishing associations between the entity and machine data, where the processing of the data and putting it into a schema requires sifting through the data, deciding what it represents and storing it in the appropriate place, which is another way of saying “classifying/classification”.
Thus, the examiner did not rely upon “common knowledge”, “well known” principles or “Official Notice” as applicant alleges, but rather it would seem that applicant did not understand the examiner’s interpretation of the reference, which, to the examiner seemed rather straightforward and plain meaning.

Information Disclosure Statement
The information disclosure statement(s) (IDS), submitted on 5/13/2021, is/are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement(s) is/are being considered by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective 

Claim(s) 1-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Coates et al., US 2016/0147380 A1 (hereinafter “Coates”) in view of Shiraishi, US 6,678,693 B1 (hereinafter “Shiraishi”).
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Claims 1, 7 and 13
Coates discloses a computer-implementable method for resolving an identity of an entity, comprising:
receiving a stream of events from a protected endpoint, the stream of events comprising a plurality of events (Coates, [0152], see event processing system that processes machine data from different sources [i.e., protected endpoint] to represent machine data as events), the protected endpoint comprising an endpoint agent executing on an endpoint device (Coates, [0145], see entity definitions associations an entity with machine data, where the machine that produces the machine data is interpreted as the “endpoint device” and whatever sends the machine data is being interpreted as the “endpoint agent”), the endpoint agent requiring the endpoint device to comply with particular criteria before being granted access to network resources (Coates, [0470], see security related information for the endpoint include access control information and login/logout information and access failure notification [i.e., all deal with allowing access to the network only when authorized]), the protected endpoint providing a policy-based approach to network security (Note: This clause is an intended use/recited purpose and does not add patentable weight to the claim.  In this case, if the cited reference discloses “[a] protected endpoint comprising an endpoint agent executing on an endpoint device, the endpoint agent requiring the endpoint device to comply with particular criteria before being granted access to network resources” then the natural result will be “[a] protected endpoint providing a policy-based approach to network security” as recited.  In other words, if those steps are disclosed then this clause will naturally result and, thus, satisfy the language, see MPEP 2111.02(II): …In re Otto, 312 F.2d 937, 938, 136 USPQ 458, 459 (CCPA 1963) (The claims were directed to a core member for hair curlers and a process of making a core member for hair curlers. The court held that the intended use of hair curling was of no significance to the structure and process of making.); In re Sinex, 309 F.2d 488, 492, 135 USPQ 302, 305 (CCPA 1962) (statement of intended use in an apparatus claim did not distinguish over the prior art apparatus). To satisfy an intended use limitation which is limiting, a prior art structure which is capable of performing the intended use as recited in the preamble meets the claim. See, e.g., In re Schreiber, 128 F.3d 1473, 1477, 44 USPQ2d 1429, 1431 (Fed. Cir. 1997) (anticipation rejection affirmed based on Board’s factual finding that the reference dispenser (a spout disclosed as useful for purposes such as dispensing oil from an oil can) would be capable of dispensing popcorn in the manner set forth in appellant’s claim 1 (a dispensing top for dispensing popcorn in a specified manner)) and cases cited therein. See also MPEP § 2112 - MPEP § 2112.02);
parsing entity identifier information associated with the entity to provide an entity identifier element (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event the entity identifier information comprising temporal information (Coates, [0152], see timestamps for the event data);
classifying the entity identifier element to provide a classified entity identifier element (Coates, [0152] and [0153], see processing machine data to represent machine data as events including a schema to the events and extracting fields defined by the schema including a source of the event data and a source type for the event data [i.e., entity identifying elements] and indexing and storing them and establishing associations between the entity and machine data [i.e., classified]), the classified entity identifier element comprising an entity identifier element type, the entity identifier element type providing a representation of a particular attribute associated with the entity identifier element (Coates, [0152] and [0153], see processing machine data to represent machine data as events including a schema to the events and extracting fields defined by the schema including a source of the event data and a source type for the event data [i.e., entity identifying elements] and indexing and storing them and establishing associations between the entity and machine data [i.e., classified]);

associating the classified and normalized entity identifier element and the temporal information with the entity to resolve the identity of the entity at a particular point in time (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity; and Coates, [0187], see the ability to the associating determining whether the classified and normalized entity identifier element matches a known entity identifier element type (Coates, [0154], see specifying an entity type for an entity; and Coates, [0158], see being able to search for entities by the entity type, which means entities (and their associated identifiers] have been linked to entity types); and,
performing a security analysis operation, the security analysis operation using the resolved identity of the entity at the particular point in time to assess a risk associated with the entity (Coates, [0410], see running a search and indicating a security threat or operational problem; Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity; and Coates, [0187], see the ability to search within a time range, which means a time/temporal element is associated with the respective entities).
On the other hand, Shiraishi discloses normalizing the classified entity identifier element to provide a classified and normalized entity identifier element, the classified and normalized entity identifier element comprising a type-dependent normalized entity identifier element (Shiraishi, Col. 23, lines 1-12, see normalized entity registration process, where an entity type is assigned to each entity registered as the normalized entity, where, thus, the normalized entity is then based on the entity-type it’s assigned to; and Shiraishi, Col. 26, lines 66-67, see the respective normalized entities, an entity type is selected and set from a list, where, again, the normalized entity is then based on the entity-type selected).  It would have been obvious to one of ordinary skill in the art at the time the invention was filed to incorporate 
Claim(s) 7 and 13 recite(s) similar limitations to claim 1 and is/are rejected under the same rationale.
With respect to claim 7, Coates discloses a system comprising:
a processor (Coates, [0481] and [0482], see processor);
a data bus coupled to the processor (Coates, [0481], see bus); and
a non-transitory, computer-readable storage medium embodying computer program code (Coates, [0481], see memory]).
With respect to claim 13, Coates discloses a non-transitory, computer-readable storage medium embodying computer program code (Coates, [0481], see memory]).

Claims 2, 8 and 14
With respect to claims 2, 8 and 14, the combination of Coates and Shiraishi discloses wherein:
the temporal information is associated with an event of the plurality of events associated with a particular point in time (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an 

Claims 3, 9 and 15
With respect to claims 3, 9 and 15, the combination of Coates and Shiraishi discloses wherein:
the temporal information comprises temporal event information, the temporal event information being associated with a particular event of the plurality of events (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity; and Coates, [0187], see the ability to search within a time range, which means a time/temporal element is associated with the respective entities).

Claims 4, 10 and 16
With respect to claims 4, 10 and 16, the combination of Coates and Shiraishi discloses wherein:
the temporal event information comprises content, the content comprising at least one of text, unstructured data, structured data, a graphical image, a photograph, an audio recording, and a video recording (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity; and 

Claims 5, 11 and 17
With respect to claims 5, 11 and 17, the combination of Coates and Shiraishi discloses wherein:
the temporal event information comprises metadata associated with the content, the metadata comprising a temporal event attribute for the content (Coates, [0152], see processing the raw data from the events including a timestamp for the event data; a host from which the event data originated; a source of the event data; and a source type for the event data, which are associated with an entity; and Coates, [0187], see the ability to search within a time range, which means a time/temporal element is associated with the respective entities).

Claims 6, 12 and 18
With respect to claims 6, 12 and 18, the combination of Coates and Shiraishi discloses wherein:
the normalizing provides an implicit identifier pair associated with the normalized entity identifier element (Coates, [0152] and [0159]; Coates; [0394]; Coates, [0433]; and Coates, [0462]).

Claim 19
With respect to claim 19, the combination of Coates and Shiraishi discloses wherein:
the computer executable instructions are deployable to a client system from a server system at a remote location (Coates, [0121], see client).

Claim 20
With respect to claim 20, the combination of Coates and Shiraishi discloses wherein:
the computer executable instructions are provided by a service provider to a user on an on-demand basis (Coates, [0107] and [0108], see real-time).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
– Boe et al. for creating an entity definition from a file;
– Fletcher et al. for defining a graphical visualization along a time-based graph lane; and
– Rodriguez et al. for a policy-based management of a redundant array of independent nodes.

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 

Point of Contact
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUBERT G CHEUNG whose telephone number is (571) 270-1396.  The examiner can normally be reached on M-R 8:00A-5:00P EST; alt. F 8:00A-4:00P EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Neveen Abel-Jalil can be reached on (571) 270-0474.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-




Examiner: Hubert Cheung
/Hubert Cheung/Assistant Examiner, Art Unit 2152Date: June 24, 2021

/NEVEEN ABEL JALIL/Supervisory Patent Examiner, Art Unit 2152